Security Incidents mailing list archives

Re: Lots of rpc.statd probes lately


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Thu, 1 Mar 2001 14:53:58 -0600

On 3/1/01 1:18 PM James Paterson said...

I would suggest quite the opposite, I am sure that the number of exploitable
boxes being added every minute by far exceeds those that are properly
secured, and the number of machines being connected to the net is not going
down. Which is why we have to spread the word and educate people about
securing their systems, before the Internet melts through heat death caused
by SK's using nmap ;).

     Along these same lines, I have what I feel is a slightly better
plan.  Educate the vendors to not turn on all the services they enable by
default.  What does the average user need portmap for?  What does the
average user need rsh or rlogin for?  daytime, discard, chargen?  Stop
the madness!  Turn off those services by default and the world will be a
much safer place.  If a user actually needs one of those services, they
will probably have enough knowledge to use them properly, not always but
the odds are greater that they will.  Also don't advertise what OS or
version you're running in every possible banner.  We don't need to
advertise to the world that this is a Redhat 5.2 box running 2.0.34 on a
486, do we?  Picture in your mind a full portscan of an Irix or AIX box.
Now tell me, do we really need to enable every single service known to
mankind?  SNMP, echo, Appletalk Routing?!  I hope not.  The uneducated
users are a symptom.  The vendors are the problem.  Get the vendors to
change their ways about what they enable by default and then worry about
educating the uneducated that still have those services enabled.

     Fellow NetAdmins can help the problem a bit.  Do we really need to
allow port 111 in and out of our network?  Probably not.  What about
SNMP?  Maybe if you're a colo, but again probably not.  How about ports
1-19?  Most likely you don't need them either.  135-139?  doubtful.  You
should shield your Windows machines from receiving traffic from the 'Net
on these ports.  Simple little things like that can easily thwart many
kiddie attacks.

My $.02,
  Justin



--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.
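
An added example, not part of the original message: a small audit that reads `ss -H -tuln` output and reports non-loopback listeners on the services and port ranges named in the post. The sample output is constructed, the function names are hypothetical, and the port numbers for services the post gives only by name are their standard IANA assignments.

```python
# Ports named in the post. Numbers for services given only by name are the
# standard IANA assignments (an assumption made explicit here).
FLAGGED = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen",
           111: "portmap/rpcbind", 161: "snmp", 513: "rlogin", 514: "rsh"}
TCP_ONLY = {513, 514}   # 513/udp is who and 514/udp is syslog, not r-services
RANGES = [(1, 19, "ports 1-19"), (135, 139, "ports 135-139")]

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE = """\
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:13         0.0.0.0:*
tcp   LISTEN 0      128             [::]:111           [::]:*
tcp   LISTEN 0      50                 *:139              *:*
udp   UNCONN 0      0         192.0.2.10:161        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:514        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
"""

def label_for(proto, port):
    """Return the post's name for this port, or None if it is not listed."""
    if port in TCP_ONLY and proto != "tcp":
        return None
    if port in FLAGGED:
        return FLAGGED[port]
    for lo, hi, name in RANGES:
        if lo <= port <= hi:
            return name
    return None

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, with brackets and %iface stripped."""
    addr = addr.strip("[]").split("%")[0]
    return addr.startswith("127.") or addr == "::1"

def audit(ss_output):
    """List (proto, addr, port, name) for flagged listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")   # keeps "[::]" intact
        if not port.isdigit() or is_loopback(addr):
            continue
        name = label_for(proto, int(port))
        if name:
            findings.append((proto, addr, int(port), name))
    return findings
```

On a live Linux host, the input would come from running `ss -H -tuln` and passing its text to `audit()`.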

